NetApp ONTAP
Why This Matters
The previous eight pages built the storage evaluation from the ground up: foundational concepts (01), the VMware baseline (02), protocols (03), architectures (04), SDS platforms (05), the Kubernetes storage model (06), data protection (07), and advanced topics (08). Those pages focused on the HCI storage layer -- Ceph/ODF for OVE, Storage Spaces Direct for Azure Local -- because that is where each candidate platform diverges most sharply. But there is a storage constant in this evaluation that none of the candidates will replace: NetApp ONTAP.
The organization runs NetApp ONTAP as its external enterprise storage platform alongside VMware vSAN. ONTAP serves NFS datastores, iSCSI LUNs, CIFS/SMB shares, and provides data services (SnapMirror replication, snapshots, encryption, deduplication) that the HCI layer does not replicate at the same maturity level. Regardless of which IaaS platform wins, ONTAP persists. The question is not whether to keep ONTAP -- it is how each candidate platform consumes ONTAP.
For a Tier-1 financial enterprise running 5,000+ VMs, this page answers four critical questions:
-
Architecture depth. What are the internal mechanisms of ONTAP -- WAFL, aggregates, SVMs, FabricPool -- that make it a 25-year enterprise storage incumbent? The evaluation team must understand these internals to ask precise questions about integration, performance, and data protection.
-
Integration with OVE via Trident. OpenShift Virtualization Engine consumes ONTAP through the Trident CSI driver, which maps Kubernetes PVCs to ONTAP FlexVolumes, LUNs, and qtrees. This is the most critical integration path in the evaluation because it determines whether existing ONTAP investments -- volumes, snapshots, replication topologies -- survive the migration intact.
-
Integration with Azure Local. Azure Local consumes ONTAP via SMB shares and iSCSI LUNs, with a thinner integration layer than Trident. Understanding this gap is essential for comparing the two self-operated candidates.
-
Migration path. Existing ONTAP volumes currently served as VMware datastores can be imported into Kubernetes via Trident's volume import feature -- converting NFS-backed VMDKs or iSCSI LUNs into Kubernetes PVs without data copy. This is a material advantage for OVE over Azure Local.
Concepts
1. ONTAP Architecture
Hardware Platforms
NetApp sells ONTAP on three hardware families. The choice of hardware determines raw performance (media type, controller throughput) but ONTAP's software capabilities -- WAFL, snapshots, SnapMirror, encryption, multi-tenancy -- are identical across all platforms.
| Platform | Target Workload | Media | Controller | Typical Use Case |
|---|---|---|---|---|
| FAS (Fabric-Attached Storage) | Capacity-optimized mixed workloads | HDD + SSD (Flash Cache) | Dual-controller HA pair | File shares, archive, secondary storage, SnapVault targets |
| AFF A-Series (All Flash FAS) | Performance-optimized primary workloads | All NVMe SSD | Dual-controller HA pair | Databases, VDI, latency-sensitive VMs, primary datastores |
| AFF C-Series | Capacity-optimized all-flash | QLC SSD (high density) | Dual-controller HA pair | Large dataset consolidation, replace HDD tier with flash economics |
| ASA (All-SAN Array) | Block-only SAN workloads | All NVMe SSD | Dual-controller HA pair (active/active symmetric) | Oracle RAC, SQL Server FCI, pure block environments |
ASA vs AFF distinction: AFF systems are "unified storage" -- they serve NAS (NFS/SMB) and SAN (iSCSI/FC/NVMe-oF) simultaneously. ASA systems are SAN-only but provide symmetric active-active controllers (both controllers actively serve I/O to the same LUNs with automatic path optimization), which simplifies multipath configuration and maximizes SAN performance. For this evaluation, AFF is the relevant platform because we need unified protocol support (NFS for datastores, iSCSI/NVMe-oF for block, SMB for Windows workloads, S3 for object tiering).
Data Hierarchy
ONTAP organizes storage in a strict hierarchy. Understanding this hierarchy is essential for capacity planning, performance isolation, and multi-tenancy design.
ONTAP Data Hierarchy
======================
Cluster (e.g., "ontap-prod-zh")
|
+-- Node A (physical controller)
| |
| +-- Aggregate aggr1_a (RAID group of physical SSDs)
| | |
| | +-- FlexVolume vol_nfs_ds01 (thin-provisioned)
| | | |
| | | +-- /nfs_datastore_01 (NFS export -> VMware datastore)
| | | +-- .snapshot/ (snapshot directory, hidden)
| | |
| | +-- FlexVolume vol_iscsi_db
| | | |
| | | +-- LUN /vol/vol_iscsi_db/db01.lun (iSCSI target)
| | | +-- LUN /vol/vol_iscsi_db/db02.lun
| | |
| | +-- FlexVolume vol_cifs_share
| | |
| | +-- Qtree qt_finance (SMB share with quota)
| | +-- Qtree qt_hr (SMB share with quota)
| |
| +-- Aggregate aggr2_a (separate disk pool)
| |
| +-- FlexVolume vol_s3_bucket
| |
| +-- S3 Bucket "backup-prod" (native ONTAP S3)
|
+-- Node B (HA partner)
| |
| +-- Aggregate aggr1_b
| |
| +-- FlexVolume vol_nfs_ds02
| +-- FlexVolume vol_snapmirror_target (replication destination)
|
+-- SVM (Storage Virtual Machine) "svm-prod"
| | Logical tenant -- owns volumes, LIFs, protocols
| | Maps to: vol_nfs_ds01, vol_iscsi_db, vol_cifs_share
| |
| +-- LIF (Logical Interface) lif-nfs-01: 10.1.1.10 (NFS)
| +-- LIF lif-iscsi-01: 10.2.1.10 (iSCSI)
| +-- LIF lif-mgmt-01: 10.3.1.10 (Management)
|
+-- SVM "svm-dr"
| Replication target SVM (SnapMirror destination)
+-- LIF lif-nfs-dr: 10.1.2.10 (dormant, activated on failover)Key hierarchy rules:
- A cluster contains 2-24 nodes (controllers). Nodes operate in HA pairs -- each pair shares disk shelves and provides transparent failover.
- An aggregate is a RAID group composed of physical SSDs or HDDs owned by a single node. Aggregates are the unit of physical capacity and performance isolation. You cannot span an aggregate across nodes.
- A FlexVolume is a logical volume carved from an aggregate. Volumes are thin-provisioned by default -- they consume physical space only as data is written. Volumes are the unit of snapshots, replication (SnapMirror), quotas, and tiering (FabricPool).
- A LUN lives inside a FlexVolume and presents a block device to SAN clients (iSCSI/FC/NVMe-oF). LUNs have their own space reservation settings independent of the volume.
- A Qtree is a sub-directory within a FlexVolume that enables per-directory quotas, security styles (UNIX/NTFS/mixed), and oplock behavior. Trident's
ontap-nas-economydriver uses qtrees to multiplex many PVCs onto a single FlexVolume.
SVM Multi-Tenancy
SVMs (Storage Virtual Machines, formerly called Vservers) are ONTAP's multi-tenancy construct. Each SVM is a logically isolated storage tenant with its own:
- Volumes and LUNs -- a volume belongs to exactly one SVM
- Network interfaces (LIFs) -- each SVM has its own IP addresses; clients connect to SVM LIFs, not node management IPs
- Protocol configuration -- NFS exports, iSCSI targets, SMB shares, S3 buckets are scoped to the SVM
- Authentication -- each SVM can have its own LDAP/AD binding, local users, and RBAC policies
- Namespace -- the SVM's junction path tree (
/vol/vol_nfs_ds01,/vol/vol_cifs_share) is isolated from other SVMs
SVM Multi-Tenancy Model
=========================
ONTAP Cluster
+---------------------------------------------------+
| |
| SVM "svm-production" SVM "svm-dev" |
| +---------------------+ +------------------+ |
| | NFS, iSCSI, SMB | | NFS only | |
| | 10 volumes | | 3 volumes | |
| | LIF: 10.1.1.10-15 | | LIF: 10.1.2.10 | |
| | AD: prod.corp.local | | AD: dev.corp.local||
| | QoS: min 10K IOPS | | QoS: max 5K IOPS| |
| +---------------------+ +------------------+ |
| |
| SVM "svm-k8s-trident" SVM "svm-dr" |
| +---------------------+ +------------------+ |
| | NFS, iSCSI | | SnapMirror dest | |
| | Trident-managed vols | | Read-only vols | |
| | LIF: 10.1.3.10-13 | | LIF: 10.1.4.10 | |
| | Delegated admin | | Activated on DR | |
| | role: trident-admin | | | |
| +---------------------+ +------------------+ |
| |
| Admin SVM (cluster-level management) |
| Not used by data clients |
+---------------------------------------------------+Why SVM matters for this evaluation: When OVE consumes ONTAP via Trident, Trident authenticates to a specific SVM. Creating a dedicated SVM for Kubernetes (e.g., svm-k8s-trident) isolates Kubernetes-provisioned volumes from VMware-consumed volumes, prevents namespace collisions, enables independent QoS policies, and limits the blast radius of misconfigurations. This is a best practice that NetApp explicitly recommends for Trident deployments.
Clustering and Non-Disruptive Operations (NDO)
ONTAP clustering enables non-disruptive operations -- the ability to perform hardware maintenance, software upgrades, and data migrations without interrupting client access. This is critical for a Tier-1 financial enterprise with 24/7 uptime requirements.
Key NDO capabilities:
- Aggregate relocation (ARL): Move an entire aggregate from one node to another within the cluster. Data stays on the same physical disks -- only the controller ownership changes. Used during controller upgrades.
- Volume move: Migrate a FlexVolume from one aggregate to another (same or different node) while clients continue accessing the volume. ONTAP redirects client I/O transparently during the cutover (sub-second pause). Used for capacity rebalancing and performance tiering.
- LIF migration: Move a network interface from one port/node to another. Client connections are redirected automatically (for NFS, the client's TCP session reconnects transparently; for iSCSI, ALUA path preference updates).
- Rolling upgrades: Upgrade ONTAP software on one node at a time while the HA partner takes over its workload. A 2-node HA pair upgrade involves two takeover/giveback cycles with zero client downtime.
FabricPool Tiering
FabricPool enables automatic tiering of cold (infrequently accessed) data blocks from the local SSD aggregate to an object storage target, reclaiming expensive SSD capacity for hot data.
FabricPool Tiering Architecture
==================================
Hot Data (frequently accessed) Cold Data (inactive > N days)
+---------------------------+ +----------------------------+
| Local SSD Aggregate | ------> | Object Store Target |
| (performance tier) | tiering | (capacity tier) |
| | policy | |
| AFF A800 NVMe SSDs | | - ONTAP S3 (on-prem FAS) |
| Sub-ms latency | | - StorageGRID |
| $$$ per GB | | - AWS S3 |
+---------------------------+ <------ | - Azure Blob |
on-read | - Google Cloud Storage |
fetch | 10-100 ms latency |
| $ per GB |
+----------------------------+
Tiering Policies (per volume):
+---------------+----------------------------------------------------+
| Policy | Behavior |
+---------------+----------------------------------------------------+
| none | All data stays on SSD (default) |
| snapshot-only | Only snapshot-cold blocks tier (active FS on SSD) |
| auto | Both snapshot-cold and user-data-cold blocks tier |
| all | All data tiers immediately (archival volumes) |
+---------------+----------------------------------------------------+
Cooling period: configurable (default 31 days for "auto" policy)
Minimum cooling period: 2 days
Granularity: 4 KiB blocks (not entire files)FabricPool and Trident: When Trident provisions volumes on a FabricPool-enabled aggregate, the tiering policy can be set per StorageClass. This enables Kubernetes administrators to define tiering behavior declaratively -- e.g., a standard StorageClass with tiering-policy: auto for general workloads, and a performance StorageClass with tiering-policy: none for latency-sensitive databases.
2. WAFL & Data Services
WAFL Write Path
WAFL (Write Anywhere File Layout) is ONTAP's filesystem and the foundation of all ONTAP data services. Understanding the WAFL write path explains why ONTAP snapshots are zero-cost, why FlexClone is instant, and why ONTAP can sustain high write throughput with strong consistency guarantees.
WAFL Write Path
=================
Step 1: Client Write Arrives
Client (NFS/iSCSI/FC/NVMe-oF) --> ONTAP Controller
Step 2: Write to NVRAM (Non-Volatile RAM)
+------------------------------------------------------+
| Controller A |
| |
| Incoming Write |
| | |
| v |
| +----------+ mirrored +----------+ |
| | NVRAM | =================> | NVRAM | |
| | (Local) | (HA partner) | (Node B) | |
| +----------+ +----------+ |
| | |
| Write ACK returned to client |
| (data is now protected in 2x NVRAM) |
+------------------------------------------------------+
Step 3: Consistency Point (CP)
Periodically (every 10 seconds or when NVRAM is ~50% full),
ONTAP flushes accumulated writes to disk:
+------------------------------------------------------+
| |
| NVRAM (buffered writes from last CP interval) |
| | |
| v |
| WAFL "Write Anywhere" Allocation |
| - WAFL never overwrites existing blocks |
| - New data written to FREE blocks on disk |
| - Block pointers updated in new metadata blocks |
| - Old blocks retained (available for snapshots) |
| | |
| v |
| +--------------------------------------------------+
| | SSD / HDD (persistent media) |
| | |
| | Before CP: |
| | [A][B][C][D][free][free][free][free] |
| | |
| | After CP (write new B' and E): |
| | [A][B][C][D][B'][E][meta'][free] |
| | ^ ^ |
| | | | |
| | old B kept new B' written to free space |
| | (snapshot (WAFL never overwrites) |
| | reference) |
| +--------------------------------------------------+
| |
| After CP completes: |
| - NVRAM for this CP is released |
| - Active filesystem points to B' (new data) |
| - Snapshot (if exists) still points to B (old data)|
+------------------------------------------------------+
Step 4: Block Reclamation
Blocks are freed ONLY when:
- No active filesystem reference points to them AND
- No snapshot references point to them
This is why deleting snapshots frees space -- it releases
the hold on old block versions.Why "Write Anywhere" matters:
-
No write amplification from snapshots. Unlike COW (Copy-on-Write) filesystems that must read-old-copy-old-write-new for every overwrite after a snapshot, WAFL simply writes new data to free space. Snapshots add zero performance overhead to the write path -- they are purely a metadata operation that preserves old block pointers.
-
Sequential writes to SSDs. WAFL coalesces random client writes in NVRAM and flushes them as large sequential writes during consistency points. This write pattern is optimal for SSDs (reduces write amplification factor) and HDDs (avoids seek latency).
-
Crash consistency. If a controller crashes, recovery replays the NVRAM journal (which is battery-backed and mirrored to the HA partner). The filesystem is always consistent -- there is no
fsckequivalent in ONTAP.
Zero-Cost Snapshots
ONTAP snapshots are metadata-only point-in-time images. Creating a snapshot does not copy any data -- it simply locks the current set of block pointers so that WAFL's "write anywhere" mechanism preserves old blocks instead of freeing them.
ONTAP Snapshot Mechanism (WAFL Redirect-on-Write)
====================================================
Time T0: Create Snapshot "snap1"
Active FS: [A]-->[B]-->[C]-->[D]
snap1: [A]-->[B]-->[C]-->[D] (same pointers, zero copy)
Space used by snap1: 0 bytes (metadata only)
Time T1: Overwrite block B with B'
Active FS: [A]-->[B']-->[C]-->[D] (B' written to new location)
snap1: [A]-->[B]--->[C]-->[D] (still points to old B)
Space used by snap1: size of block B (only changed blocks)
Time T2: Overwrite block D with D'
Active FS: [A]-->[B']-->[C]-->[D']
snap1: [A]-->[B]--->[C]-->[D]
Space used by snap1: size of B + D
Time T3: Delete snap1
Blocks B and D are now unreferenced -> freed to WAFL free pool
Active FS: [A]-->[B']-->[C]-->[D'] (unchanged)Snapshot scheduling: ONTAP supports per-volume snapshot policies with configurable schedules (hourly, daily, weekly) and retention counts. A typical enterprise policy retains 6 hourly + 2 daily + 2 weekly snapshots per volume. Each snapshot consumes space only for blocks that have changed since the snapshot was taken.
Snapshot impact on capacity planning: For volumes with moderate change rates (5-10% daily), maintaining 6 hourly + 2 daily + 2 weekly snapshots typically consumes 15-30% additional capacity. ONTAP's volume show-space command provides per-snapshot space accounting. The snapshot-reserve parameter on each volume allocates dedicated space for snapshots (default 5%; should be increased for high-churn volumes).
FlexClone
FlexClone creates a writable copy of a FlexVolume or LUN in seconds, regardless of size. The clone shares all data blocks with the parent -- only blocks modified after cloning consume additional space.
Mechanism: FlexClone creates a new volume whose block map is a copy-on-write reference to the parent volume's blocks at the moment of cloning. This is a metadata operation -- no data is copied. A 10 TiB volume clones in under 1 second. Clones are fully independent writable volumes that can be snapshotted, replicated, and resized independently.
Trident integration: When Kubernetes creates a PVC from a VolumeSnapshot or requests a clone, Trident calls ONTAP's FlexClone API. This makes Kubernetes volume cloning near-instantaneous for ONTAP-backed PVCs, compared to data-copy cloning in Ceph RBD (which must copy all data blocks).
SnapMirror Replication
SnapMirror is ONTAP's native replication engine. It replicates data at the volume level using incremental block-level transfers based on snapshots.
SnapMirror Replication Topology
==================================
Site A (Primary) Site B (DR)
+------------------------+ +------------------------+
| Cluster: ontap-prod-zh | | Cluster: ontap-dr-be |
| | | |
| SVM: svm-prod | | SVM: svm-dr |
| | | |
| vol_nfs_ds01 (RW) | --------> | vol_nfs_ds01_dr (DP) |
| vol_iscsi_db (RW) | --------> | vol_iscsi_db_dr (DP) |
| vol_cifs_share (RW) | --------> | vol_cifs_share_dr (DP) |
| | SM Async | |
| vol_trading (RW) | ========> | vol_trading_dr (DP) |
| | SM Sync | |
+------------------------+ +------------------------+
| |
| SnapMirror transfer uses | Destination volumes
| snapshots as baseline: | are read-only (DP type)
| | until relationship is
| 1. Create snapshot on source | broken for failover.
| 2. Transfer changed blocks since |
| last common snapshot |
| 3. Apply to destination |
| 4. Update destination snapshot |
SnapMirror Modes:
+------------------+--------+--------+------------------------------+
| Mode | RPO | Latency| Use Case |
+------------------+--------+--------+------------------------------+
| Async | 5-60min| None | General DR, bulk replication |
| Sync | 0 | +1-2ms | Zero-data-loss DR (< 100km) |
| SM-BC | 0 | +1-2ms | Active-active metro cluster |
| (Business | | | (automatic transparent |
| Continuity) | | | failover, both sites serve |
| | | | I/O simultaneously) |
+------------------+--------+--------+------------------------------+Consistency Groups (CG): For multi-volume applications (e.g., a database with data on vol_data and logs on vol_log), SnapMirror Consistency Groups ensure that all volumes in the group are replicated atomically. The destination site receives a crash-consistent point-in-time image across all volumes in the CG. This is essential for applications that span multiple ONTAP volumes.
SnapMirror Consistency Group
==============================
Source Cluster Destination Cluster
+---------------------------+ +---------------------------+
| Consistency Group: "app1" | | CG: "app1_dr" |
| | | |
| vol_app1_data (10 TiB) | ------> | vol_app1_data_dr |
| vol_app1_log (500 GiB) | ------> | vol_app1_log_dr |
| vol_app1_config (10 GiB) | ------> | vol_app1_config_dr |
| | | |
| All 3 volumes snapshotted | | All 3 volumes consistent |
| atomically at same CP | | at same point in time |
+---------------------------+ +---------------------------+
Without CG: vol_data replicated at T1, vol_log at T2 -> inconsistent
With CG: all volumes replicated at T1 atomically -> consistentSnapMirror and Trident: Trident can provision volumes that are SnapMirror-protected. When combined with Trident Protect (formerly Astra Control), Kubernetes administrators can define replication policies that leverage SnapMirror under the hood, enabling DR for Kubernetes workloads with ONTAP-native RPO/RTO guarantees.
SnapVault (Long-Term Retention)
SnapVault is a variant of SnapMirror optimized for long-term backup retention. While SnapMirror maintains a mirror (same snapshot schedule as source), SnapVault applies a different, longer retention policy at the destination. Typical use: source retains 6 hourly + 2 daily snapshots; SnapVault destination retains 30 daily + 12 monthly + 7 yearly snapshots on lower-cost FAS/HDD storage.
MetroCluster
MetroCluster provides automatic disaster recovery across two sites (up to 300 km apart) using synchronous mirroring of NVRAM and disk writes. Unlike SnapMirror (which replicates at the volume level), MetroCluster mirrors at the aggregate level, including all ONTAP metadata. Failover is automatic (unplanned) or orchestrated (planned), providing RPO=0 and RTO < 120 seconds. MetroCluster is the strongest DR solution ONTAP offers but requires dedicated infrastructure (ISL links, ATTO mediators, or Tiebreaker software).
Deduplication, Compression, and TSSE
ONTAP provides three inline storage efficiency technologies that reduce physical capacity consumption:
| Technology | How It Works | Savings | Overhead |
|---|---|---|---|
| Inline dedup | Fingerprints 4 KiB blocks using SHA-256; stores only unique blocks. Volume-scoped (cross-volume dedup via aggregate-level dedup for AFF). | 20-60% for VDI/VM workloads with shared OS images | Negligible on AFF (hardware-assisted); moderate on FAS |
| Inline compression | Compresses 8 KiB compression groups using LZW/LZ4 before writing to disk. Adaptive -- skips already-compressed data. | 30-50% for databases, logs, general workloads | Negligible on AFF; measurable on FAS HDD workloads |
| TSSE (Temperature-Sensitive Storage Efficiency) | Background process that recompresses cold data with a more aggressive algorithm (32 KiB groups) for higher compression ratios, while hot data uses fast inline compression. | Additional 5-15% over inline compression | Background, low priority, AFF only |
Combined savings: For a typical enterprise mixed workload (VMs, databases, file shares), ONTAP AFF systems routinely achieve 3:1 to 5:1 data reduction ratios. NetApp offers an efficiency guarantee program for AFF/ASA systems.
Encryption (NSE / NAE / NVE + KMIP)
ONTAP provides three layers of encryption-at-rest, satisfying FINMA requirements for data-at-rest protection:
| Layer | Scope | Mechanism | Key Management |
|---|---|---|---|
| NSE (NetApp Storage Encryption) | Self-encrypting drive (SED) | AES-256 in drive firmware | Drive-level authentication keys, managed by ONTAP or external KMIP |
| NVE (NetApp Volume Encryption) | Per-volume | AES-256-XTS in WAFL, software-based | ONTAP Onboard Key Manager (OKM) or external KMIP server (Thales, Gemalto, Vormetric) |
| NAE (NetApp Aggregate Encryption) | Per-aggregate (all volumes inherit) | AES-256-XTS in WAFL, software-based | Same as NVE |
Defense in depth: NSE protects against physical drive theft. NVE/NAE protects against theft of entire disk shelves (data is encrypted before it reaches the drive). For FINMA compliance, deploying both NSE + NVE (double encryption) with keys managed by an external KMIP server is the recommended configuration.
KMIP integration: External key managers (Thales CipherTrust, IBM SKLM, Fortanix) store encryption keys outside the ONTAP cluster. This satisfies regulatory requirements for key-data separation and enables centralized key lifecycle management (rotation, revocation, audit).
3. Protocol Support (Unified Storage)
ONTAP is a unified storage platform -- it serves block, file, and object protocols simultaneously from the same hardware. This is a differentiator against purpose-built SAN arrays (which only serve block) and NAS filers (which only serve file).
| Protocol | Version / Variant | ONTAP Capabilities | Primary Consumer in This Evaluation |
|---|---|---|---|
| NFS | v3, v4.0, v4.1 (pNFS) | FlexFiles layout for pNFS, Kerberos auth, export policies per-client, 64-bit file IDs | VMware NFS datastores (current), Trident ontap-nas backend (OVE) |
| iSCSI | RFC 7143 | ALUA multipath, CHAP auth, portsets, igroups, LUN masking, selective LUN mapping | VMware VMFS datastores (current), Trident ontap-san backend (OVE), Azure Local iSCSI LUNs |
| FC | 32 Gbit FC | ALUA multipath, zoning integration, portsets, FCP LIF per-SVM | VMware FC datastores (current), limited K8s use |
| NVMe-oF | NVMe/FC, NVMe/TCP | ANA (Asymmetric Namespace Access), subsystems, namespaces | Trident ontap-san backend with NVMe/TCP (OVE, emerging) |
| SMB | 3.0, 3.1.1 | Continuous availability (CA) shares, ODX (offloaded data transfer), ABE, VSS | Azure Local SMB consumption, Windows VM file shares |
| S3 | Native ONTAP S3 | Bucket versioning, IAM policies, WORM (object lock), multi-tenancy per SVM | FabricPool target, backup target, log archive |
NFS with pNFS FlexFiles
ONTAP 9.8+ supports pNFS (Parallel NFS, RFC 5661) with the FlexFiles layout. pNFS allows NFS clients to read and write data directly to the data-serving node rather than routing all I/O through a single metadata server. In ONTAP's FlexFiles implementation, the metadata server (MDS) provides layout information that tells the client which node and LIF to contact for each file's data. This distributes I/O across multiple nodes, eliminating the single-node bottleneck of traditional NFS.
Relevance: When Trident provisions an NFS PVC, the data can be served by any node in the cluster that has the aggregate hosting the volume. pNFS FlexFiles ensures that multiple Kubernetes nodes can access the NFS volume with parallelized I/O paths.
iSCSI with ALUA
ONTAP implements ALUA (Asymmetric Logical Unit Access) for iSCSI multipath. Each LUN has an owning node (optimized paths) and non-owning nodes (non-optimized paths). The host's multipath software (dm-multipath on Linux, MPIO on Windows) uses ALUA target port group information to prefer optimized paths while keeping non-optimized paths as standby for failover.
iSCSI ALUA Multipath (ONTAP HA Pair)
=======================================
Linux Host (dm-multipath)
+------------------------------------+
| /dev/dm-0 (multipath device) |
| |
| Path 1: 10.2.1.10 -> Node A | Active/Optimized (A/O)
| Path 2: 10.2.1.11 -> Node A | Active/Optimized (A/O)
| Path 3: 10.2.2.10 -> Node B | Active/Non-Optimized (A/N)
| Path 4: 10.2.2.11 -> Node B | Active/Non-Optimized (A/N)
| |
| Policy: round-robin among A/O |
| Failover: promote A/N if A/O fail |
+------------------------------------+
Node A owns the LUN -> paths to Node A are A/O
Node B is HA partner -> paths to Node B are A/N
I/O to A/N paths is proxied through Node B to Node A (additional hop)
If Node A fails:
- LUN ownership moves to Node B (HA takeover)
- Node B paths become A/O
- Failover is transparent to the host (ALUA RTPG update)NVMe-oF (NVMe/FC and NVMe/TCP)
ONTAP 9.12+ supports NVMe/TCP, which carries NVMe commands over standard TCP/IP without requiring specialized hardware (unlike NVMe/FC which requires FC HBAs). NVMe-oF provides significantly lower latency and higher IOPS than iSCSI because it eliminates the SCSI translation layer and uses NVMe's native multiqueue architecture.
Trident and NVMe/TCP: Trident 24.02+ supports ontap-san backends with the nvme sanType. This enables Kubernetes PVCs backed by ONTAP NVMe namespaces accessed over TCP. For latency-sensitive KubeVirt VMs (databases, trading systems), NVMe/TCP provides the lowest latency path from a VM's virtio-blk device to ONTAP storage.
4. Trident CSI Driver
This is the most critical section for the OVE evaluation. Trident is NetApp's open-source CSI driver for Kubernetes. It translates Kubernetes PVC requests into ONTAP volume/LUN provisioning operations and maps Kubernetes VolumeSnapshots to ONTAP snapshots. Trident is the bridge that allows OVE to consume existing ONTAP infrastructure without data migration.
Architecture
Trident CSI Architecture in OpenShift
=========================================
+------------------------------------------------------------------+
| OpenShift Cluster (OVE) |
| |
| TRIDENT OPERATOR (Deployment, 1 replica) |
| +------------------------------------------------------------+ |
| | trident-operator | |
| | - Watches TridentOrchestrator CR | |
| | - Deploys/upgrades Trident controller + node DaemonSet | |
| | - Manages CRDs (TridentBackend, TridentVolume, etc.) | |
| +------------------------------------------------------------+ |
| |
| TRIDENT CONTROLLER (Deployment, 2 replicas for HA) |
| +------------------------------------------------------------+ |
| | Pod: trident-controller-7b8f9d6c5-xxxxx | |
| | | |
| | +------------------+ +------------------+ +--------------+ | |
| | | trident-main | | csi-provisioner | | csi-attacher | | |
| | | (controller svc) | | (sidecar) | | (sidecar) | | |
| | | - CreateVolume | | - Watches PVCs | | - Watches | | |
| | | - DeleteVolume | | - Calls CSI | | VolumeAtt | | |
| | | - CreateSnapshot | | CreateVolume | | resources | | |
| | | - ExpandVolume | | | | | | |
| | +------------------+ +------------------+ +--------------+ | |
| | | |
| | +-----------------+ +-------------------+ | |
| | | csi-snapshotter | | csi-resizer | | |
| | | (sidecar) | | (sidecar) | | |
| | | - Watches | | - Watches PVC | | |
| | | VolumeSnapshot| resize requests | | |
| | | CRs | | - Calls CSI | | |
| | | - Calls CSI | | ExpandVolume | | |
| | | CreateSnapshot| | | | |
| | +-----------------+ +-------------------+ | |
| +------------------------------------------------------------+ |
| |
| TRIDENT NODE (DaemonSet, 1 pod per worker node) |
| +------------------------------------------------------------+ |
| | Pod: trident-node-linux-xxxxx (on each node) | |
| | | |
| | +------------------+ +-------------------+ | |
| | | trident-main | | node-driver- | | |
| | | (node service) | | registrar | | |
| | | - NodeStageVol | | (sidecar) | | |
| | | - NodePublishVol | | - Registers CSI | | |
| | | - Mount/format | | driver with | | |
| | | - iSCSI login | | kubelet | | |
| | | - NFS mount | | | | |
| | +------------------+ +-------------------+ | |
| +------------------------------------------------------------+ |
| |
| COMMUNICATION FLOW: |
| PVC created --> csi-provisioner sidecar watches --> |
| calls trident-main CreateVolume via gRPC UDS --> |
| trident-main calls ONTAP REST API (or ZAPI) --> |
| ONTAP creates FlexVolume/LUN/Qtree --> |
| trident-main returns volume ID to csi-provisioner --> |
| PV created and bound to PVC |
+------------------------------------------------------------------+
| |
| ONTAP REST API | NFS/iSCSI/NVMe-oF
| (HTTPS, port 443) | (data path)
v v
+------------------------------------------------------------------+
| ONTAP Cluster |
| SVM: svm-k8s-trident |
| - Management LIF: 10.1.3.10 (Trident control plane) |
| - NFS LIFs: 10.1.3.11-14 (data path) |
| - iSCSI LIFs: 10.2.3.11-14 (data path) |
+------------------------------------------------------------------+Backend Configuration
A Trident backend defines the connection to a specific ONTAP SVM and the provisioning parameters. Multiple backends can connect to the same SVM with different settings (e.g., one for NFS, one for iSCSI, one for economy mode).
Backend Type: ontap-nas (FlexVolume per PVC via NFS)
Each PVC gets its own ONTAP FlexVolume, exported via NFS. This is the most feature-rich backend -- it supports snapshots, clones, volume expansion, QoS, tiering policies, and SnapMirror. The trade-off is that each PVC creates a full FlexVolume, and ONTAP has a per-node FlexVolume limit (typically 1,000-12,500 depending on controller model).
# trident-backend-nas.yaml
apiVersion: trident.netapp.io/v1
kind: TridentBackendConfig
metadata:
name: ontap-nas-prod
namespace: trident
spec:
version: 1
storageDriverName: ontap-nas
backendName: ontap-nas-prod
managementLIF: 10.1.3.10
dataLIF: 10.1.3.11
svm: svm-k8s-trident
credentials:
name: ontap-credentials # Secret with username/password
storage:
- labels:
performance: premium
defaults:
spaceReserve: none # Thin provisioning
snapshotPolicy: default # 6 hourly + 2 daily + 2 weekly
snapshotReserve: "10"
exportPolicy: trident # NFS export policy on ONTAP
securityStyle: unix
tieringPolicy: none # Keep on SSD (performance tier)
unixPermissions: "0777"
snapshotDir: "true" # Expose .snapshot directory
- labels:
performance: standard
defaults:
spaceReserve: none
snapshotPolicy: default
snapshotReserve: "20"
tieringPolicy: auto # Tier cold data to object store
encryption: "true" # NVE encryption per-volume
autoExportPolicy: true # Auto-manage NFS export policies
nfsMountOptions: "nfsvers=4.1,rsize=65536,wsize=65536,hard,timeo=600"Backend Type: ontap-san (LUN per PVC via iSCSI or NVMe/TCP)
Each PVC gets its own ONTAP LUN inside a FlexVolume, accessed via iSCSI or NVMe/TCP. Block access provides lower latency than NFS for random IOPS workloads (databases). The LUN is formatted with a filesystem (ext4/XFS) by the Trident node plugin, or presented as a raw block device.
# trident-backend-san.yaml
apiVersion: trident.netapp.io/v1
kind: TridentBackendConfig
metadata:
name: ontap-san-prod
namespace: trident
spec:
version: 1
storageDriverName: ontap-san
backendName: ontap-san-prod
managementLIF: 10.1.3.10
svm: svm-k8s-trident
credentials:
name: ontap-credentials
useCHAP: true # Enable CHAP authentication
chapInitiatorSecret:
name: chap-initiator-secret # Secret with CHAP credentials
igroupName: trident # iSCSI initiator group
storage:
- labels:
performance: block-premium
defaults:
spaceAllocation: "true" # SCSI thin provisioning (UNMAP support)
spaceReserve: none
snapshotPolicy: default
tieringPolicy: none
encryption: "true"
# For NVMe/TCP instead of iSCSI:
# sanType: nvmeBackend Type: ontap-nas-economy (Qtree per PVC, shared FlexVolume)
Multiple PVCs share a single ONTAP FlexVolume via qtrees. Each PVC gets its own qtree (sub-directory with independent quota) inside a shared volume. This dramatically reduces the number of FlexVolumes consumed, enabling environments with thousands of small PVCs. The trade-off: qtrees do not support individual snapshots or FlexClone -- snapshots and clones operate at the volume level (affecting all qtrees in the volume).
# trident-backend-economy.yaml
apiVersion: trident.netapp.io/v1
kind: TridentBackendConfig
metadata:
name: ontap-nas-economy
namespace: trident
spec:
version: 1
storageDriverName: ontap-nas-economy
backendName: ontap-nas-economy
managementLIF: 10.1.3.10
dataLIF: 10.1.3.12
svm: svm-k8s-trident
credentials:
name: ontap-credentials
storage:
- labels:
tier: economy
defaults:
spaceReserve: none
snapshotPolicy: none # Snapshots at volume level, not qtree
exportPolicy: trident
securityStyle: unix
qtreesPerFlexvol: "200" # Max qtrees (PVCs) per FlexVolumeBackend comparison for KubeVirt VMs:
| Aspect | ontap-nas | ontap-san (iSCSI) | ontap-san (NVMe/TCP) | ontap-nas-economy |
|---|---|---|---|---|
| PVC-to-ONTAP mapping | 1 PVC = 1 FlexVolume | 1 PVC = 1 LUN in 1 FlexVol | 1 PVC = 1 NVMe namespace | 1 PVC = 1 Qtree in shared FlexVol |
| Access mode | RWX (ReadWriteMany) | RWO (ReadWriteOnce) | RWO (ReadWriteOnce) | RWX (ReadWriteMany) |
| Snapshot granularity | Per-PVC (ONTAP snapshot) | Per-PVC (ONTAP snapshot) | Per-PVC (ONTAP snapshot) | Per-volume (all qtrees) |
| FlexClone support | Yes (instant clone) | Yes (instant clone) | Yes (instant clone) | No (data copy) |
| Latency (4K random read) | 0.5-2 ms (NFS overhead) | 0.3-1 ms | 0.1-0.5 ms | 0.5-2 ms (NFS overhead) |
| Max PVCs per backend | ~1,000-12,500 (FlexVol limit) | ~1,000-12,500 | ~1,000-12,500 | ~200,000+ (200 qtrees x 1,000 FlexVols) |
| Live migration (KubeVirt) | Yes (RWX) | No (RWO, requires block migration) | No (RWO, requires block migration) | Yes (RWX) |
| Best for | General VMs, live migration | Database VMs, latency-sensitive | Ultra-low-latency VMs | Config volumes, small PVCs at scale |
Critical KubeVirt consideration -- RWX for live migration: KubeVirt live migration requires the VM's disk PVC to be accessible from both the source and destination nodes simultaneously during migration. This requires ReadWriteMany (RWX) access mode, which only NFS-based backends (ontap-nas, ontap-nas-economy) support. iSCSI and NVMe/TCP LUNs are ReadWriteOnce (RWO) -- they can only be mounted on one node at a time. With RWO PVCs, KubeVirt must use "block migration" (copy the disk data over the network to the destination node), which is significantly slower than shared-storage live migration.
Recommendation for KubeVirt: Use ontap-nas for VM boot disks that require live migration. Use ontap-san (iSCSI or NVMe/TCP) for database data volumes where latency matters more than live migration speed. This mirrors the VMware pattern of NFS datastores for general VMs and iSCSI/FC LUNs for performance-critical databases.
StorageClass Mapping
StorageClasses are how Kubernetes administrators expose ONTAP backend capabilities to PVC consumers. Each StorageClass maps to a specific backend (or set of backends) with specific parameters.
# storageclass-ontap-premium.yaml
apiVersion: storage.k8s.io/v1
kind: StorageClass
metadata:
name: ontap-premium
provisioner: csi.trident.netapp.io
parameters:
backendType: "ontap-nas"
selector: "performance=premium"
fsType: "nfs" # NFS for RWX support
snapshotDir: "true"
allowVolumeExpansion: true
reclaimPolicy: Retain # Keep ONTAP volume on PVC deletion
volumeBindingMode: Immediate
mountOptions:
- nfsvers=4.1
- hard
- rsize=65536
- wsize=65536
---
# storageclass-ontap-block.yaml
apiVersion: storage.k8s.io/v1
kind: StorageClass
metadata:
name: ontap-block-premium
provisioner: csi.trident.netapp.io
parameters:
backendType: "ontap-san"
selector: "performance=block-premium"
fsType: "xfs"
allowVolumeExpansion: true
reclaimPolicy: Retain
volumeBindingMode: Immediate
---
# storageclass-ontap-economy.yaml
apiVersion: storage.k8s.io/v1
kind: StorageClass
metadata:
name: ontap-economy
provisioner: csi.trident.netapp.io
parameters:
backendType: "ontap-nas-economy"
selector: "tier=economy"
allowVolumeExpansion: true
reclaimPolicy: Delete
volumeBindingMode: ImmediateMapping VMware SPBM policies to Kubernetes StorageClasses:
| VMware SPBM Policy | Kubernetes StorageClass | Trident Backend | ONTAP Tier |
|---|---|---|---|
| Gold (NFS, all-flash, snap every 1h) | ontap-premium |
ontap-nas (performance=premium) |
AFF A-Series, tiering=none |
| Silver (NFS, auto-tier, snap every 4h) | ontap-standard |
ontap-nas (performance=standard) |
AFF A-Series, tiering=auto |
| Bronze (NFS, capacity-optimized) | ontap-economy |
ontap-nas-economy (tier=economy) |
AFF C-Series or FAS |
| Block-Gold (iSCSI, all-flash) | ontap-block-premium |
ontap-san (performance=block-premium) |
AFF A-Series, tiering=none |
Volume Provisioning Flow
End-to-end flow when a KubeVirt VM requests a disk:
Volume Provisioning Flow (KubeVirt VM -> ONTAP via Trident)
==============================================================
1. VM Definition Created
apiVersion: kubevirt.io/v1
kind: VirtualMachine
spec:
template:
spec:
volumes:
- name: rootdisk
dataVolume:
name: vm-rhel9-boot
dataVolumeTemplates:
- metadata:
name: vm-rhel9-boot
spec:
storage:
storageClassName: ontap-premium <-- selects ONTAP backend
resources:
requests:
storage: 50Gi
2. CDI (Containerized Data Importer) creates PVC
PVC "vm-rhel9-boot" with storageClassName: ontap-premium
3. csi-provisioner sidecar (in trident-controller pod)
detects unbound PVC, calls Trident CreateVolume gRPC
4. Trident controller:
a. Selects backend "ontap-nas-prod" (matches backendType + selector)
b. Calls ONTAP REST API: POST /api/storage/volumes
- SVM: svm-k8s-trident
- Aggregate: auto-selected (or specified)
- Size: 50 GiB (thin-provisioned)
- Snapshot policy: default
- Export policy: trident (auto-managed)
- Junction path: /trident_pvc_<uuid>
c. ONTAP creates FlexVolume, returns volume UUID
5. Trident creates PV object with:
- CSI volume handle = ONTAP volume UUID
- NFS mount point = dataLIF:/<junction-path>
- Access mode: ReadWriteMany
PV bound to PVC
6. CDI imports disk image into PVC (NFS write to ONTAP volume)
7. VM starts, KubeVirt creates virt-launcher pod:
- Pod requests PVC "vm-rhel9-boot"
- kubelet calls Trident NodePublishVolume
- Trident node plugin mounts NFS share into pod
- KubeVirt presents the disk image to the VM via virtioVolumeSnapshot and Clone
Trident maps Kubernetes VolumeSnapshots to ONTAP native snapshots and PVC clones to ONTAP FlexClone.
# Create a VolumeSnapshot of a VM disk
apiVersion: snapshot.storage.k8s.io/v1
kind: VolumeSnapshot
metadata:
name: vm-rhel9-snap-20260428
spec:
volumeSnapshotClassName: ontap-snapshot
source:
persistentVolumeClaimName: vm-rhel9-boot
---
# VolumeSnapshotClass for ONTAP
apiVersion: snapshot.storage.k8s.io/v1
kind: VolumeSnapshotClass
metadata:
name: ontap-snapshot
driver: csi.trident.netapp.io
deletionPolicy: RetainWhat happens under the hood:
csi-snapshottersidecar detects VolumeSnapshot CR, calls TridentCreateSnapshotgRPC- Trident calls ONTAP REST API:
POST /api/storage/volumes/{uuid}/snapshotswith namesnapshot-<uuid> - ONTAP creates a WAFL snapshot in ~1 second (metadata-only, zero data copy)
- Trident creates VolumeSnapshotContent bound to VolumeSnapshot
- Kubernetes reports snapshot as
readyToUse: true
Creating a VM clone from a snapshot:
# Clone a VM by creating a PVC from a VolumeSnapshot
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: vm-rhel9-clone
spec:
storageClassName: ontap-premium
dataSource:
name: vm-rhel9-snap-20260428
kind: VolumeSnapshot
apiGroup: snapshot.storage.k8s.io
accessModes:
- ReadWriteMany
resources:
requests:
storage: 50GiWhat happens under the hood:
csi-provisionerdetects PVC withdataSourcereferencing a VolumeSnapshot- Trident calls ONTAP FlexClone API: creates a new FlexVolume from the snapshot
- FlexClone completes in ~1 second regardless of volume size (10 GiB or 10 TiB -- identical speed)
- The clone shares all data blocks with the parent; only new writes consume additional space
- A 50 GiB VM boot disk clone consumes ~0 bytes initially, growing only as the clone diverges
Comparison with Ceph RBD cloning: Ceph RBD clone also uses COW semantics but operates at the RADOS object level. For very large volumes (multi-TiB), ONTAP FlexClone is faster because it is a single metadata operation at the FlexVolume level, whereas Ceph must create COW references for each RBD object (4 MiB default). In practice, both are fast enough for VM cloning -- but ONTAP's clone has zero performance overhead on the parent, while Ceph clones with many layers can develop read amplification from deep clone chains.
Volume Import for Migration
Trident's volume import feature enables importing existing ONTAP volumes into Kubernetes without data copy. This is a critical migration capability: ONTAP volumes currently serving as VMware NFS datastores or iSCSI LUNs can be imported into Kubernetes as PVs, making the data immediately available to KubeVirt VMs.
Volume Import -- Migration from VMware to OVE
================================================
Before Migration:
+------------------+ +------------------+
| VMware vCenter | | ONTAP Cluster |
| | | |
| ESXi Host | NFS | FlexVol: |
| +-------+ | mount | vol_nfs_ds01 |
| | VM-01 | -------|-------->| (NFS datastore) |
| +-------+ | | |
| | VM-02 | | | Contains: |
| +-------+ | | VM-01.vmdk |
+------------------+ | VM-02.vmdk |
+------------------+
After Migration (using Trident volume import):
+------------------+ +------------------+
| OpenShift (OVE) | | ONTAP Cluster |
| | | |
| KubeVirt | NFS | FlexVol: |
| +-------+ | mount | vol_nfs_ds01 |
| | VM-01 | -------|-------->| (same volume, |
| +-------+ | | now a K8s PV) |
| | | |
| PV bound to PVC | | Renamed to: |
| "vm-01-boot" | | trident_pvc_<id> |
+------------------+ +------------------+
No data copy. No downtime for the data.
Only the volume's junction path and export policy are updated.Import command:
# Import an existing ONTAP NFS volume into Kubernetes
tridentctl import volume ontap-nas-prod vol_nfs_ds01 \
-f pvc-import.yaml --no-manage
# pvc-import.yaml
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: vm-imported-disk
namespace: vm-workloads
spec:
storageClassName: ontap-premium
accessModes:
- ReadWriteMany
resources:
requests:
storage: 100Gi--no-manage flag: When set, Trident imports the volume as a PV but does not manage its lifecycle. The ONTAP volume retains its original name, snapshot policy, and export configuration. This is useful for migration phases where VMware and OVE must coexist -- both can access the same ONTAP volume simultaneously (VMware via its NFS datastore mount, OVE via the Trident PV). When the VMware side is decommissioned, the --no-manage flag can be removed to give Trident full lifecycle control.
Migration workflow for 5,000+ VMs:
- Inventory: Catalog all ONTAP volumes serving VMware datastores. Map each VMDK to its hosting FlexVolume.
- Prepare SVM: Create a dedicated SVM (
svm-k8s-trident) or configure the existing SVM with LIFs accessible from the OpenShift nodes. - Deploy Trident: Install Trident operator and create backend configurations pointing to the SVM.
- Import volumes: Use
tridentctl import volumefor each ONTAP volume. This creates PVs without data movement. - Convert VM disks: Use MTV (Migration Toolkit for Virtualization) or manual processes to convert VMDKs to KubeVirt-compatible disk images (qcow2 or raw) within the imported PVs.
- Create VMs: Define KubeVirt VirtualMachine CRs referencing the imported PVCs.
- Validate and cut over: Run both environments in parallel during validation, then retire the VMware side.
NFS vs iSCSI vs NVMe/TCP Performance Comparison for KubeVirt
Performance characteristics when running KubeVirt VMs on ONTAP via Trident:
Protocol Performance Comparison (ONTAP AFF A800, 100 GbE)
===========================================================
Latency (4 KiB random read, queue depth 1):
NVMe/TCP: ~0.15 ms ████
iSCSI: ~0.40 ms ██████████
NFS v4.1: ~0.60 ms ███████████████
IOPS (4 KiB random read, queue depth 32, single volume):
NVMe/TCP: ~500K ██████████████████████████████████
iSCSI: ~200K ██████████████
NFS v4.1: ~150K ██████████
Throughput (128 KiB sequential read):
NVMe/TCP: ~10 GB/s ██████████████████████████████████
iSCSI: ~6 GB/s ████████████████████
NFS v4.1: ~5 GB/s █████████████████
Notes:
- NVMe/TCP eliminates SCSI translation overhead and uses
multiqueue I/O submission (per-CPU hardware queues)
- iSCSI adds SCSI CDB encoding/decoding + TCP overhead
- NFS adds RPC/XDR encoding + file-level locking overhead
- Real-world VM performance depends on guest I/O pattern,
virtio queue depth, and network configuration
- All protocols benefit from jumbo frames (MTU 9000)Recommendation matrix:
| VM Workload | Recommended Protocol | Reason |
|---|---|---|
| General application servers | NFS (ontap-nas) |
RWX for live migration, good enough latency, simplest operations |
| Database servers (Oracle, PostgreSQL, SQL Server) | iSCSI (ontap-san) or NVMe/TCP |
Lower latency for random IOPS, block access avoids NFS overhead |
| Latency-critical (trading, real-time) | NVMe/TCP (ontap-san, sanType: nvme) |
Lowest latency, highest IOPS, native multiqueue |
| High-density small VMs (dev, test) | NFS (ontap-nas-economy) |
Hundreds of PVCs sharing FlexVolumes, cost-efficient |
| Windows VMs needing shared folders | NFS or iSCSI for boot disk; in-guest SMB for shares | KubeVirt boot disk via Trident; application shares via ONTAP SMB |
Trident Protect
Trident Protect (the successor to NetApp Astra Control) provides application-aware data protection for Kubernetes workloads backed by ONTAP. While Trident handles volume provisioning and basic snapshots, Trident Protect adds:
- Application-aware snapshots: Quiesce application (e.g., freeze database, flush buffers) before triggering ONTAP snapshot via Trident, ensuring crash-consistent or application-consistent recovery points
- Application-aware replication: Orchestrate SnapMirror replication for multi-PVC applications, ensuring all PVCs in an application are replicated atomically (leveraging ONTAP Consistency Groups)
- DR failover/failback: Automate SnapMirror break, volume re-export, and application re-deployment at the DR site
- Application mobility: Move entire applications (PVCs + Kubernetes resources) between clusters using SnapMirror as the data transport
Trident Protect is deployed as a Kubernetes operator and defines CRDs for Application, Snapshot, Backup, Schedule, and ReplicationRelationship. It acts as the Kubernetes-native orchestration layer on top of ONTAP's existing data protection primitives.
5. ONTAP with VMware (Current State)
This section documents the current integration between ONTAP and VMware to establish the baseline -- what exists today, what works well, and what goes away when VMware is decommissioned.
NFS Datastores
The most common ONTAP-VMware integration. ONTAP FlexVolumes are exported via NFS v3 (or v4.1) and mounted as VMware NFS datastores. ESXi hosts mount the NFS export; vCenter manages VM placement across datastores.
Advantages of NFS datastores:
- Thin provisioning is native (ONTAP + VMFS thin)
- VAAI NAS (vStorage APIs for Array Integration) enables ONTAP-offloaded operations: full file clone (for VM clone), extended statistics, reserve space
- No LUN management (no LUN alignment, no VMFS formatting, no SCSI reservations)
- All ONTAP data services (snapshots, SnapMirror, dedup, compression) operate transparently on the datastore volume
VMFS on iSCSI/FC LUNs
ONTAP LUNs formatted with VMFS and presented to ESXi via iSCSI or FC. Used for workloads requiring lower latency than NFS (databases, latency-sensitive applications).
VAAI primitives for block:
- ATS (Atomic Test & Set): Lock-free VMFS metadata updates across ESXi hosts sharing the LUN
- XCOPY (Extended Copy): Offloaded data copy for Storage vMotion and VM cloning -- ONTAP performs the copy internally without data traversing the host
- Write Same / UNMAP: Zero-fill and space reclamation for thin-provisioned LUNs
ONTAP Tools for VMware (VASA / SRA / VSC)
ONTAP Tools is a vCenter plugin that provides three integrated components:
| Component | Function | Migration Impact |
|---|---|---|
| VSC (Virtual Storage Console) | Provisions and manages ONTAP datastores from vCenter GUI. Creates FlexVolumes, maps LUNs, configures multipath. | Goes away -- replaced by Trident for provisioning |
| VASA Provider (vStorage APIs for Storage Awareness) | Reports ONTAP storage capabilities to vCenter for SPBM (Storage Policy Based Management). Enables policy-driven VM placement (e.g., "Gold = AFF, snaps every 1h"). | Goes away -- replaced by Kubernetes StorageClasses |
| SRA (Storage Replication Adapter) | Integrates ONTAP SnapMirror with VMware Site Recovery Manager (SRM) for automated DR failover/failback. | Goes away -- replaced by Trident Protect or manual SnapMirror management |
SnapCenter
SnapCenter is NetApp's centralized backup and restore management platform. For VMware environments, the SnapCenter Plug-in for VMware vSphere provides:
- VM-consistent snapshots (with VMware Tools quiesce)
- Application-consistent snapshots for in-guest databases (Oracle, SQL Server, SAP HANA)
- SnapMirror/SnapVault integration for off-site backup
- Granular restore (individual VMDKs, individual files, individual database objects)
Migration impact: SnapCenter's VMware plugin loses relevance after migration. For OVE, application-consistent backup is handled by Trident Protect (which uses ONTAP snapshots and SnapMirror) or by third-party tools (Kasten K10 with ONTAP integration, Velero with CSI snapshots). SnapCenter's application plugins (Oracle, SQL Server) can still run inside KubeVirt VMs for in-guest backup orchestration.
What Goes Away After Migration
| VMware Component | ONTAP Counterpart | Post-Migration Replacement |
|---|---|---|
| vCenter datastore management | VSC (ONTAP Tools) | Trident backend + StorageClass YAML |
| SPBM policies | VASA Provider | Kubernetes StorageClasses with Trident selectors |
| VMware SRM | SRA + SnapMirror | Trident Protect + SnapMirror |
| VAAI (NAS clone, block XCOPY) | ONTAP offload engine | Trident FlexClone (equivalent), CSI clone |
| SnapCenter VMware plugin | SnapCenter server | Trident Protect, Kasten K10, or Velero |
| NFS datastore mounts | ONTAP NFS exports | Trident ontap-nas backend (same exports, different consumer) |
| VMFS on LUNs | ONTAP iSCSI/FC LUNs | Trident ontap-san backend (same LUN concepts, CSI-managed) |
Key insight: The ONTAP storage itself does not change. The same FlexVolumes, LUNs, snapshots, and SnapMirror relationships persist. What changes is the management layer -- from vCenter/VSC/VASA/SRA to Kubernetes/Trident/StorageClass/Trident Protect. The data services are identical; the orchestration is different.
6. ONTAP with Azure Local
Azure Local can consume ONTAP storage via two protocols: SMB 3.x shares and iSCSI LUNs. The integration is significantly thinner than the Trident/OVE path because Azure Local does not have a Kubernetes CSI driver for ONTAP -- it consumes ONTAP as raw infrastructure rather than through a declarative provisioning framework.
SMB Shares
Azure Local VMs (running on Hyper-V) can use ONTAP SMB 3.1.1 shares as storage locations for VHDX files. ONTAP's SMB Continuously Available (CA) shares provide transparent failover during ONTAP node maintenance.
Configuration: Create an SMB share on ONTAP SVM, join the SVM to Active Directory, grant Hyper-V computer accounts read/write access. Azure Local's storage stack (Storage Spaces Direct) remains the primary storage for VM boot disks; ONTAP SMB shares serve as secondary storage for application data, shared file systems, or user profile disks.
iSCSI LUNs
ONTAP iSCSI LUNs can be mapped to Azure Local hosts and used as Cluster Shared Volumes (CSVs) or passed through to individual VMs. This requires manual LUN provisioning, igroup configuration, MPIO setup on Windows Server, and CSV formatting.
Limitations vs Trident/OVE:
- No dynamic provisioning -- each LUN must be manually created on ONTAP and manually mapped to Azure Local
- No Kubernetes StorageClass abstraction -- storage tiering is managed manually
- No automated snapshot management via Kubernetes VolumeSnapshot -- snapshots are managed directly on ONTAP via SnapCenter or System Manager
- No FlexClone integration for VM cloning -- VM cloning uses Hyper-V's native VHDX copy mechanism
- No volume import capability -- migrating data to/from ONTAP requires manual data copy
SnapMirror to Azure NetApp Files (ANF)
For Azure Local environments with Azure cloud connectivity, ONTAP on-premises can replicate volumes to Azure NetApp Files (ANF) in Azure using SnapMirror. This provides a cloud-based DR tier managed entirely within the NetApp ecosystem. ANF supports NFS, SMB, and iSCSI protocols, enabling cloud-based DR for Azure Local workloads.
Maturity Assessment
| Capability | OVE (Trident) | Azure Local |
|---|---|---|
| Dynamic provisioning | Full (CSI CreateVolume) | Manual (PowerShell/GUI) |
| Storage tiering via policy | StorageClass parameters | Manual volume placement |
| Snapshot integration | K8s VolumeSnapshot -> ONTAP snapshot | SnapCenter only (no K8s integration) |
| Clone integration | K8s PVC clone -> FlexClone | Manual VHDX copy |
| Volume import (migration) | tridentctl import (no data copy) |
Manual data migration |
| DR orchestration | Trident Protect + SnapMirror | SnapCenter + SRM equivalent (limited) |
| QoS per-PVC | Trident adaptive QoS policies | Manual QoS on ONTAP volumes |
| Encryption per-volume | NVE via backend config | NVE via ONTAP management |
| Operational model | Declarative YAML, GitOps-compatible | Imperative PowerShell/GUI |
Verdict: ONTAP integration with OVE via Trident is a generation ahead of ONTAP integration with Azure Local. Trident provides a declarative, Kubernetes-native control plane over ONTAP's full data services stack. Azure Local's consumption of ONTAP is functionally equivalent to what any Windows Server has been doing for 15 years -- SMB shares and iSCSI LUNs managed manually. This does not mean Azure Local cannot use ONTAP effectively, but it lacks the automated provisioning, lifecycle management, and data protection orchestration that Trident provides.
How the Candidates Consume ONTAP
| Aspect | VMware (Current) | OVE (Trident CSI) | Azure Local | Swisscom ESC |
|---|---|---|---|---|
| Provisioning model | vCenter GUI + VSC plugin | Kubernetes PVC -> Trident -> ONTAP REST API (fully automated) | Manual PowerShell / Azure Portal | Managed by Swisscom (customer has no ONTAP access) |
| Primary protocol | NFS v3 (datastores), iSCSI/FC (VMFS LUNs) | NFS v4.1 (ontap-nas), iSCSI (ontap-san), NVMe/TCP (emerging) |
SMB 3.x (shares), iSCSI (LUNs) | N/A (VxBlock backend, not ONTAP) |
| Storage tiering | SPBM policies via VASA Provider | Kubernetes StorageClasses with backend selectors and FabricPool tiering | Manual volume placement on aggregates | Managed tiers (customer selects Gold/Silver/Bronze) |
| Snapshots | ONTAP snapshots via SnapCenter VMware plugin | K8s VolumeSnapshot -> ONTAP native snapshots (sub-second, zero-cost) | ONTAP snapshots via SnapCenter (no K8s integration) | Managed by Swisscom |
| Clones | VAAI full file clone (offloaded) | K8s PVC clone -> ONTAP FlexClone (instant, space-efficient) | Manual VHDX copy (minutes to hours) | Managed by Swisscom |
| Replication / DR | SnapMirror + SRM via SRA | SnapMirror + Trident Protect (K8s-native DR orchestration) | SnapMirror + manual failover or SnapCenter | Managed by Swisscom |
| Volume migration | Storage vMotion (XCOPY offloaded) | tridentctl import (zero-copy import of existing volumes) |
Manual data migration | Not applicable |
| QoS | ONTAP adaptive QoS via VSC | Per-StorageClass adaptive QoS via Trident | Manual QoS via ONTAP CLI/GUI | Managed by Swisscom |
| Encryption | NVE/NAE per-volume/aggregate | NVE per-volume via Trident backend config | NVE per-volume via ONTAP management | Managed by Swisscom |
| Operational model | GUI-driven (vCenter + ONTAP Tools) | Declarative YAML, GitOps, CI/CD pipelines | Imperative PowerShell + ONTAP System Manager | Fully managed (API/portal) |
| Live migration | vMotion (NFS seamless, VMFS requires shared LUN) | KubeVirt live migration (NFS seamless, iSCSI requires block migration) | Hyper-V live migration (SMB seamless, iSCSI requires shared CSV) | Managed by Swisscom |
| Maturity | 15+ years of deep integration | 5+ years (Trident GA since 2020), rapidly maturing | Basic (standard Windows Server ONTAP consumption) | N/A (different storage backend) |
Key Takeaways
-
ONTAP is the storage constant. Regardless of which IaaS platform wins, the organization's ONTAP clusters, FlexVolumes, SnapMirror relationships, and data services persist. The investment in ONTAP hardware, licensing, operations knowledge, and data protection workflows is not lost -- it is re-consumed through a different management layer.
-
Trident is the critical integration point for OVE. Trident transforms ONTAP from "external storage accessed via mount commands" into "Kubernetes-native storage provisioned via PVCs." Every ONTAP data service -- snapshots, FlexClone, SnapMirror, QoS, encryption, FabricPool tiering -- is exposed through Kubernetes-native abstractions (StorageClass, VolumeSnapshot, PVC clone). This is not a thin wrapper; it is a full CSI implementation that leverages ONTAP's API surface.
-
Volume import eliminates data migration for OVE. Existing ONTAP volumes currently serving VMware datastores can be imported into Kubernetes via
tridentctl import volumewithout any data copy. This dramatically reduces migration risk, downtime, and complexity. The data stays where it is; only the management plane changes. -
NFS is the recommended protocol for KubeVirt general workloads. NFS (
ontap-nasbackend) provides ReadWriteMany access, enabling seamless KubeVirt live migration without block-level disk copy. This mirrors the VMware pattern where NFS datastores are preferred for general VMs because they enable vMotion without Storage vMotion. -
iSCSI and NVMe/TCP are for latency-sensitive workloads. Database VMs and latency-critical applications should use
ontap-sanbackends. NVMe/TCP is the emerging high-performance path, offering 2-4x lower latency than iSCSI. The trade-off is RWO access (no seamless live migration). -
Azure Local's ONTAP consumption is rudimentary. Azure Local can use ONTAP via SMB and iSCSI, but without dynamic provisioning, Kubernetes-native snapshot/clone integration, or automated DR orchestration. Every ONTAP operation is manual or requires SnapCenter -- there is no declarative, API-driven provisioning layer equivalent to Trident.
-
WAFL is why ONTAP snapshots and clones are free. WAFL's "write anywhere" design means snapshots add zero performance overhead to the write path, and FlexClone creates writable copies in under 1 second regardless of volume size. These capabilities are exposed to Kubernetes through Trident's VolumeSnapshot and PVC clone support, making ONTAP-backed Kubernetes storage operationally superior to solutions requiring data-copy snapshots or clones.
-
SVM isolation is a best practice for Trident. Creating a dedicated SVM for Kubernetes (
svm-k8s-trident) isolates Kubernetes-provisioned volumes from VMware-consumed volumes. This enables independent QoS policies, RBAC, network segmentation, and prevents namespace collisions during the migration period when both VMware and OVE may consume the same ONTAP cluster. -
Trident Protect fills the SnapCenter/SRM gap. VMware environments use SnapCenter for application-aware backup and SRM+SRA for DR orchestration. In OVE, Trident Protect provides equivalent functionality through Kubernetes-native CRDs, orchestrating ONTAP snapshots, SnapMirror replication, and application failover without requiring VMware-specific tools.
-
ONTAP's unified protocol support is a strategic advantage. ONTAP serves NFS, iSCSI, NVMe/TCP, SMB, and S3 from the same hardware. This means the organization does not need separate storage arrays for different protocol requirements. A single ONTAP cluster can serve KubeVirt VMs (NFS/iSCSI), Windows file shares (SMB), backup targets (S3), and FabricPool tiering destinations -- all while providing unified data protection (SnapMirror) across all protocols.
Discussion Guide
Use these questions to probe depth of understanding and to challenge vendor claims during PoC evaluation:
ONTAP Architecture:
- If we have 5,000+ VMs, each with a 50 GiB boot disk provisioned via Trident
ontap-nas, how many FlexVolumes does that create? Does the ONTAP controller model support that count? What is the FlexVolume limit per node on our specific AFF model? - How does aggregate sizing affect performance isolation? If we place Gold-tier and Economy-tier volumes on the same aggregate, does a noisy Economy workload affect Gold latency? How does ONTAP adaptive QoS mitigate this?
- We use FabricPool today for VMware datastores. When we migrate to Trident, do the tiering policies carry over, or must they be reconfigured on the StorageClass?
WAFL and Data Services:
- Explain why ONTAP snapshots are zero-cost in terms of write performance. What is a consistency point (CP), and how does the NVRAM journal guarantee crash consistency? How does this compare to Ceph RBD snapshot overhead?
- If a Trident-provisioned volume has 10 snapshots and we delete snapshot #5, does that free space immediately? How does WAFL's block reference counting handle shared blocks between snapshots?
- What is the difference between SnapMirror Async and SnapMirror Sync in terms of impact on write latency at the source? When would we use SM-BC instead of MetroCluster?
Trident CSI Driver:
- Walk through the complete I/O path: a KubeVirt VM running on OpenShift node-3 writes a 4 KiB block to its boot disk backed by an ONTAP NFS PVC. What components are traversed from the VM's virtio-blk device to ONTAP's WAFL layer?
- What happens when a Trident-managed PVC is deleted but the
reclaimPolicyisRetain? Where does the orphaned ONTAP volume end up? How do we reclaim it? - If we need to provision 500 PVCs in a single batch (e.g., a dev/test environment spin-up), does Trident serialize calls to ONTAP or parallelize? What are the ONTAP REST API rate limits?
- Compare
ontap-nasandontap-nas-economyfor a scenario with 10,000 small PVCs (5 GiB each). Which is more appropriate, and why? What is the trade-off in snapshot and clone capability? - How does Trident handle ONTAP controller failover (HA takeover)? Does the Trident controller detect the failover and re-establish sessions, or is this handled transparently at the NFS/iSCSI protocol level?
Migration:
- We plan to import 200 existing ONTAP NFS datastore volumes into Kubernetes via
tridentctl import. What is the impact on running VMware VMs during the import (if using--no-manage)? Can both VMware and OVE access the same volume simultaneously during the transition? - For LUN-based VMware datastores (VMFS on iSCSI), can Trident import the raw LUN? Or must the VMDKs be extracted and re-imported into new Trident-provisioned PVCs?
- What is the rollback plan if the OVE migration fails midway? Can we "un-import" a Trident volume and return it to pure VMware consumption?
ONTAP with Azure Local:
- Azure Local consumes ONTAP via SMB shares and iSCSI LUNs. How does this compare to Trident's dynamic provisioning in terms of operational effort for managing 5,000+ VMs?
- If we choose Azure Local, what ONTAP management tooling replaces the role that Trident fills for OVE? Is SnapCenter sufficient for snapshot and DR automation?
- Can Azure Local leverage ONTAP FlexClone for rapid VM cloning, or must it rely on Hyper-V's native VHDX copy? What is the time and space cost difference for cloning a 100 GiB VM?
Data Protection:
- How does Trident Protect compare to the VMware SRM + SRA model we use today? Does Trident Protect support automated failover (zero-touch DR), or is manual intervention required?
- If we use SnapMirror Consistency Groups for a multi-PVC application (data + logs + config), how does Trident Protect ensure all PVCs are failed over atomically at the DR site?
- For FINMA compliance, we need encryption at rest with external key management. If Trident provisions a volume with
encryption: truein the backend config, does ONTAP use NVE with the configured KMIP server? How do we verify this per-volume?